Alternatives to Kerberos for passwordless server access

Reb asked:

I have a bunch of Linux servers and three Windows servers 2008 R2.
I would need a solution which would enable passwordless SSH login from each of those servers to all others. I could do this by generating keys on all machines and distributing them to all other servers, but this solution has low scalability. Whenever I add a server, I have to distribute its key to all servers.
Therefore I’d need a solution to centrally administer keys and access to ALL servers.

Is KERBEROS a way to go for me?
Does anyone know of any similar or better solution on Linux?
Thanks.

My answer:


Kerberos is the best option, but you probably don’t want to set it up by hand. It has a lot of moving parts and is easy to get something wrong.

Instead, you should set up a domain and join all of the computers to the domain.

You have three options for setting up a domain for this environment:

  • FreeIPA. This is well supported in Linux, especially Red Hat-derived distributions, though it’s also available in other distributions. This is your best choice if all or almost all of the computers run Linux, and the few Windows computers can be made to join the domain with a little work.
  • Active Directory. The venerable Windows-based domain controller, which is your best choice if most of the computers run Windows.
  • Samba 4 pretending to be Active Directory. You will often see this in mixed environments, or in places where someone didn’t approve the budget for a Windows license to set up AD. It should be evaluated carefully as it may not support all features of modern functional levels.

In all cases Kerberos will be used underneath, but you don’t usually have to worry about the details, as they are handled for you.
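Once a server has joined the domain (whichever of the three directories is chosen), the one piece that still has to be right on each Linux host is that sshd accepts Kerberos tickets via GSSAPI. The following is an added example, not code from the answer above or from any of the projects named: a small POSIX shell audit of an sshd_config for the directives that matter, with constructed sample config files. Directive names and defaults are the standard OpenSSH ones.

```shell
#!/bin/sh
# Audit an OpenSSH sshd_config for the settings a Kerberos (GSSAPI) login
# needs once a host has joined the domain. Constructed example; the sample
# config files below are made up, the directive names are standard OpenSSH.

# Effective value of a global directive: first match wins, comments are
# skipped and parsing stops at the first Match block (conditional settings).
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Exit 0 when the host will accept Kerberos tickets for SSH, 1 otherwise.
audit_sshd() {
    cfg="$1"; rc=0
    gss=$(sshd_get "$cfg" GSSAPIAuthentication)
    if [ "$gss" != "yes" ]; then
        echo "FAIL: GSSAPIAuthentication is '${gss:-unset}' (default no); ticket logins will be refused"
        rc=1
    fi
    # KerberosAuthentication only validates *passwords* against the KDC; it is
    # a common mix-up and does not give passwordless logins.
    [ "$(sshd_get "$cfg" KerberosAuthentication)" = "yes" ] && \
        echo "INFO: KerberosAuthentication yes is not needed for GSSAPI logins"
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$pw" = "no" ] || echo "WARN: PasswordAuthentication is '${pw:-unset}' (default yes); passwords still accepted"
    return $rc
}

# Constructed sample configs (not real servers).
good=$(mktemp); bad=$(mktemp)
cat >"$good" <<'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat >"$bad" <<'EOF'
#GSSAPIAuthentication yes
KerberosAuthentication yes
EOF

audit_sshd "$good" && echo "$good: ready for Kerberos SSH"
audit_sshd "$bad"  || echo "$bad: not ready"
```

The host also needs its host/FQDN principal in /etc/krb5.keytab, which the domain join normally provisions; the audit above only covers the sshd side.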


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.